private trust anchor

Michael W. Lucas mwlucas at blackhelicopters.org
Sun Feb 10 23:35:58 UTC 2013


On Sun, Feb 10, 2013 at 11:26:27PM +0000, Evan Hunt wrote:
> On Sun, Feb 10, 2013 at 05:57:42PM -0500, Michael W. Lucas wrote:
> > Is there a way to set up a private trust anchor for internal-only
> > zones with BIND 9.9?
> > 
> > I have some local and RFC1918 zones that I'd like to secure. It seems
> > I should be able to configure a private trust anchor and use that key
> > to sign these zones.
> > 
> > I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> > which has great gobs of theory, but nothing on how to actually do this
> > with BIND.
> > 
> > Has anyone done this? Or is this just daft?
> 
> In my experience the two aren't mutually exclusive, but yes, it does work.
> Create keys for your local zones, sign them, and put the KSKs into the
> resolver's named.conf in a "trusted-keys" statement.  Then configure the
> zones as "type forward", with "forwarders" pointing to the authoritative
> server(s) for your zones.  The resolver will then forward queries for those
> names to the authoritative servers, and validate the responses.
> 
> (If those weren't enough bread crumbs to show you the way, I can expand
> on this.)

I specialize in daft practicality, thank you.

Sounds fairly straightforward. I appreciate the hints, should be able
to take it from here.

Thanks much!
==ml

-- 
Michael W. Lucas 	
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas at michaelwlucas.com, Twitter @mwlauthor


